lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <Y6Kthn+rIUnCEJWz@gondor.apana.org.au>
Date:   Wed, 21 Dec 2022 14:53:58 +0800
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     Roberto Sassu <roberto.sassu@...weicloud.com>, dhowells@...hat.com,
        davem@...emloft.net, zohar@...ux.ibm.com,
        dmitry.kasatkin@...il.com, paul@...l-moore.com, jmorris@...ei.org,
        serge@...lyn.com, linux-integrity@...r.kernel.org,
        linux-security-module@...r.kernel.org, keyrings@...r.kernel.org,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        Roberto Sassu <roberto.sassu@...wei.com>,
        Tadeusz Struk <tadeusz.struk@...el.com>
Subject: [v2 PATCH] lib/mpi: Fix buffer overrun when SG is too long

On Tue, Dec 20, 2022 at 08:30:16PM +0000, Eric Biggers wrote:
>
> > Tried, could not boot the UML kernel.
> > 
> > After looking, it seems we have to call sg_miter_stop(). Or alternatively,
> > we could let sg_miter_next() be called but not writing anything inside the
> > loop.
> > 
> > With either of those fixes, the tests pass (using one scatterlist).

Thanks for the quick feedback Roberto!

> I think it should look like:
> 
> 	while (nbytes) {
> 		sg_miter_next(&miter);
> 		...
> 	}
> 	sg_miter_stop(&miter);

You're right Eric.  However, we could also do it by simply not
checking nbytes since we already set nents according to nbytes
at the top of the function.

---8<---
The helper mpi_read_raw_from_sgl sets the number of entries in
the SG list according to nbytes.  However, if the last entry
in the SG list contains more data than nbytes, then it may overrun
the buffer because it only allocates enough memory for nbytes.

Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers")
Reported-by: Roberto Sassu <roberto.sassu@...weicloud.com>
Signed-off-by: Herbert Xu <herbert@...dor.apana.org.au>

diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c
index 39c4c6731094..157ef532a6a2 100644
--- a/lib/mpi/mpicoder.c
+++ b/lib/mpi/mpicoder.c
@@ -504,7 +501,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes)
 
 	while (sg_miter_next(&miter)) {
 		buff = miter.addr;
-		len = miter.length;
+		len = min_t(unsigned, miter.length, nbytes);
+		nbytes -= len;
 
 		for (x = 0; x < len; x++) {
 			a <<= 8;
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ